Version V2.0 of the Jhoose Security module has been released and is available via the Optimizely nuget feed.
This update not only squashes several bugs it also introduces several new features to help secure your website.
Removed support for CMS 11
I have taken this opportunity to remove support for CMS11 as I felt that it was sensible to simplify the solution and focus on targeting the latest version of the CMS.
The module now only supports .NET6, 7 and 8.
User interface to manage Security Response Headers
In the previous versions of the module it is possible to control the Security Response headers by configuration, but I have now introduced a new optional user interface to manage these headers. This gives extra control; allowing administrators to easily change the settings post deployment.
Enable User Interface
services.AddJhooseSecurity(_configuration, (o) =>
{
o.UseHeadersUI = true;
});
Adding the user interface is entirely optional, but if you do you will need to review the configuration as the existing settings are not transferred over.
Authentication Policy Overrides
By default any user with the CMSAdmins security role can access the module, but it is possible to change this to an alternate role if required.
services.AddJhooseSecurity(_configuration,
configurePolicy: (p) =>
{
p.RequireRole("CspAdmin");
});
API Access
The security headers can be accessed via a Rest API, this is useful if you are using Optimizely to manage the content, but not presentation.
Access to the Rest API is secured by authentication keys, each consumer must include a valid key in the header. Authentication keys are managed within the module.
Webhooks
Consumers can register a webhook, this will then be called whenever a change is made either the Content Security Policy or the Security Headers.
It is recommended that consumers take this approach as caching the headers and then only refreshing when changes occur will help performance.
Example
POST /api/jhoose/headers HTTP/1.1
Accept: application/json
Content-Type: application/json
X-API-Key: ...
{'nonce': '1234567890' }
Note: Nonce
Each request should include a different nonce value. If you are following the recommendations and caching the response then you should also change the nonce value within the cached value.
Conclusion
More information can be found in my github repo. Any suggestions, comments are greatly appreciated.